To fix the access denied error, you need to configure Active Directory permissions. Grant access to the Key Vault.
1. Using PowerShell
Run the following command:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'XXXXXXX' -ServicePrincipalName XXXXX -PermissionsToKeys decrypt,sign,get,unwrapKey
2. Using the Azure portal
- Open Key Vaults
- Select Access Policies from the Key Vault resource blade
- Click the [+ Add Access Policy] button at the top of the blade
- Click Select Principal to select the application you created earlier
- From the Key permissions drop down, select “Decrypt”, “Sign”, “Get”, “UnwrapKey” permissions
- Save changes
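
After either method, the resulting policy can be checked against the four key permissions listed above. The following is an added example, not part of the original answer: `Test-KeyVaultKeyPolicy` is a hypothetical helper, the object ID and sample policy are constructed, and the caller is assumed to know the application's service principal object ID.

```powershell
# Added example: compare one principal's key permissions with the four the
# answer grants (decrypt, sign, get, unwrapKey) and report gaps or excess.
function Test-KeyVaultKeyPolicy {
    param(
        # Access policy entries, e.g. (Get-AzureRmKeyVault -VaultName 'XXXXXXX').AccessPolicies
        [Parameter(Mandatory)] [object[]] $AccessPolicies,
        # Object ID of the application's service principal (assumed known to the caller)
        [Parameter(Mandatory)] [string] $ObjectId,
        [string[]] $Required = @('decrypt', 'sign', 'get', 'unwrapKey')
    )

    # An object ID can appear in more than one entry; collect all of them.
    $entries = @($AccessPolicies | Where-Object { "$($_.ObjectId)" -eq $ObjectId })
    if ($entries.Count -eq 0) {
        # No policy at all: this is the state that produces "access denied".
        return [pscustomobject]@{ Found = $false; Missing = $Required; Extra = @() }
    }

    # Flatten the key permissions, dropping empty values.
    $granted = @($entries | ForEach-Object { $_.PermissionsToKeys } | Where-Object { $_ })

    # -contains / -notcontains are case-insensitive, so 'UnwrapKey' matches 'unwrapKey'.
    if ($granted -contains 'all') {
        # Older policies may carry 'all': nothing is missing, but it is far broader than needed.
        $missing = @()
    } else {
        $missing = @($Required | Where-Object { $granted -notcontains $_ })
    }
    $extra = @($granted | Where-Object { $Required -notcontains $_ })

    [pscustomobject]@{ Found = $true; Missing = $missing; Extra = $extra }
}

# Constructed sample shaped like the AccessPolicies property of a vault object.
$sample = @(
    [pscustomobject]@{
        ObjectId          = '11111111-1111-1111-1111-111111111111'   # constructed
        PermissionsToKeys = @('get', 'decrypt', 'sign', 'delete')
    }
)

$result = Test-KeyVaultKeyPolicy -AccessPolicies $sample `
    -ObjectId '11111111-1111-1111-1111-111111111111'
"Found:   $($result.Found)"
"Missing: $($result.Missing -join ', ')"   # permissions the application still lacks
"Extra:   $($result.Extra -join ', ')"     # permissions beyond the four required
```

An empty `Missing` list means the access denied error should be resolved; anything in `Extra` is a permission the application does not need for this fix.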